Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users


All network traffic must use SSL/TLS when traveling over untrusted networks.


The SSL/TLS-protected MySQL protocol helps to prevent eavesdropping and man-in-the-middle attacks. It should be enforced on a per-user basis for those users that access the server through the network.
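The per-user check and fix described above, written as SQL. This is an added example, not part of the original rule page. It uses the standard `mysql.user` columns. The account `'app_user'@'10.0.%'` is a constructed placeholder, and the local-host list (including `127.0.0.1`) is an assumption.

```sql
-- Audit: list remote accounts that are not required to use SSL/TLS.
-- ssl_type is '' for an account created without a REQUIRE clause.
SELECT user, host, ssl_type
FROM mysql.user
WHERE host NOT IN ('::1', '127.0.0.1', 'localhost')   -- assumed local-host list
  AND ssl_type NOT IN ('ANY', 'X509', 'SPECIFIED');

-- Remediation for one offending account (constructed placeholder name).
-- REQUIRE SSL sets ssl_type to 'ANY'.
-- REQUIRE X509 sets it to 'X509' and also demands a valid client certificate.
-- REQUIRE ISSUER / SUBJECT / CIPHER sets it to 'SPECIFIED'.
ALTER USER 'app_user'@'10.0.%' REQUIRE SSL;

-- Verify: the account should now show ssl_type = 'ANY'.
SELECT user, host, ssl_type
FROM mysql.user
WHERE user = 'app_user' AND host = '10.0.%';
```

An account with a wildcard host such as `'%'` counts as remote and appears in the audit output unless it carries a REQUIRE clause.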

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

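const { isEmpty, isEmptyArray } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if all remote users are enforcing SSL
 */
function validate(databaseSettings) {

  var success = true;
  if (databaseSettings && !isEmptyArray(databaseSettings.users)) {
    // hosts treated as local, and the ssl_type values that enforce SSL/TLS
    var hosts = ['::1','','localhost']
    var sslTypes = ['any','x509','specified']

    // look for remote users without SSL enabled
    // NOTE: the page elides the arguments of the two host checks and the end of
    // the sslType check; the `host` field name and the lowercase comparison
    // against sslTypes are assumptions.
    const remoteUsersWithoutSsl =
         databaseSettings.users.filter(user => user.mysql &&
                                       user.mysql.usersTableSnapshot &&
                                       !isEmpty(user.mysql.usersTableSnapshot.host) &&
                                       !hosts.includes(user.mysql.usersTableSnapshot.host) &&
                                       (isEmpty(user.mysql.usersTableSnapshot.sslType) ||
                                        !sslTypes.includes(user.mysql.usersTableSnapshot.sslType.toLowerCase())))

    success = isEmptyArray(remoteUsersWithoutSsl)
  }

  // the rest of the returned object is cut off on the page; only `success` is known
  return { success }
}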

// invoke